MGT433: SANS Security Awareness: How to Build, Maintain, and Measure a Mature Awareness Program

This training will assist me and my team with putting a much better security awareness program in place. The maturity model is a great resource.

James Pomeroy, Seim Johnson LL

This course has content every employee can use, whether they are from a large company or a small one. It has a sound starting point everyone can use.

Donna Hickman, GE Capital Retail Bank

Organizations have invested a tremendous amount of money and resources into securing technology, but little if anything into securing their workforce. As a result, people, not technology, have become the most common target for cyber attackers. The most effective way to secure the human element is to establish a mature security awareness program that goes beyond mere compliance, changes people's behaviors, and ultimately creates a secure culture. This intensive two-day course teaches the key concepts and skills needed to do just that, and is designed for those establishing a new program or wanting to improve an existing one. Course content is based on lessons learned from hundreds of security awareness programs around the world. In addition, you will learn not only from your instructor but also from extensive interaction with your peers. Finally, through a series of labs and exercises, you will develop your own custom security awareness plan that you can implement as soon as you return to your organization.

You Will Learn:

The Security Awareness Maturity Model and how to leverage it as the roadmap for your awareness program

How to identify different target groups and deploy role-based training

How to effectively engage and communicate with your workforce, including how to address the challenges of different roles, generations, and nationalities

How to sustain your security awareness program over the long term, including advanced approaches such as gamification and ambassador programs

How to measure the impact of your awareness program, track the reduction in human risk, and communicate the program's value to leadership

Course Syllabus

MGT433.1: Plan and Build

CPE/CMU Credits: 6

Topics

The five stages of the Security Awareness Maturity Model

The three variables of risk and their role in awareness

Why humans are so vulnerable and the latest methods cyber attackers use to exploit these vulnerabilities

The learning continuum: awareness, training, and education

Steps to gaining and maintaining leadership support

How to develop and leverage an effective Advisory Board

The B.J. Fogg Behavior Model and how it applies to your overall strategy for changing workforce behavior

Developing a strategic plan based on three key questions: Who, What, and How

Who: Identifying the different targets of your awareness program. Whose behaviors do you want to change? Note: This section includes an interactive group lab in which you identify and analyze key target groups in your organization.

What: Identifying and prioritizing the top human risks to your organization and the behaviors that will most effectively manage those risks. Note: This section includes two interactive labs: one conducting a qualitative risk analysis for your organization, and a second on behavioral management through defining key learning objectives.

MGT433.2: Implement, Maintain and Measure

CPE/CMU Credits: 6

Topics

How: How will you communicate your program and train your workforce? This includes defining why cybersecurity is important to your organization, the different training modalities, and the most successful strategies for engaging people.

The effective use of imagery, including imagery in diverse or international environments

Top tips for effective translation and localization

The two different communication methods: primary and reinforcement, and the advantages / disadvantages of each

How to effectively develop and provide instructor-led training (ILT)

How to effectively develop and deploy online / computer based training (CBT)

Long-term sustainment for lasting culture impact, including gamification and ambassador programs

Design, deploy, and leverage metrics to measure the impact of your awareness program, including how to effectively establish a global phishing program and measure culture. Note: This section includes an interactive lab on identifying and defining the top security awareness metrics specific to your program.

Walking through the final planning and execution steps, including documenting a comprehensive project plan

"MGT433 gives a great view on how to build a full security program." - Eman Al Awadhi, TRA

Author Statement

Having been actively involved in information security for more than 20 years, I have seen one constant factor: people are the number one target for cyber attackers because we fail to properly invest in and secure them. Once trained, your workforce will become your greatest asset, not only in preventing incidents but also in being able to quickly identify and report them, developing a far more resilient organization. I am extremely excited about MGT433, as we provide organizations with the skills, resources, and community they need to build a high-impact security awareness program that will not only change behaviors, but also measure that change.

- Lance Spitzner
